APPROACH TO INFORMATION SECURITY RISK ASSESSMENT FOR A CLASS «1» AUTOMATED SYSTEM

DOI:

https://doi.org/10.28925/2663-4023.2020.10.98112

Keywords:

automated system; risk management; information security management system; vulnerability

Abstract

The article is devoted to the assessment of information security risks in automated systems (AS) of class "1". An adapted approach to assessing information security risks in such automated systems is proposed, using the Methodology and the requirements of the standards GSTU SUIB 1.0 / ISO/IEC 27001:2010 and GSTU SUIB 2.0 / ISO/IEC 27002:2010. The efficiency of the approach and the methods of implementing it are demonstrated on the example of real threats and vulnerabilities of class "1" automated systems. The main requirement for creating an information security management system (ISMS) in an organization is risk assessment and the identification of threats to the information resources processed in information and telecommunication systems and automated systems. The basic information security standards of Ukraine are considered, which give general recommendations for building and assessing information security risks within the ISMS. The most common international methods and methodologies for assessing information security risks are analyzed, and their advantages and disadvantages are identified. The order of work for assessing the information security risks of a class "1" AS is defined. The vulnerabilities considered by the expert according to the standard ISO/IEC 27002:2005 and the Methodology are given. A conditional scale for determining the impact of the realization of threats to integrity, availability and observability is given. Measures and means of counteracting the emergence of threats are proposed. This approach can be used both for direct information risk assessment and for educational purposes. It allows the final result to be obtained regardless of the experience and qualifications of the specialist conducting the risk assessment, with subsequent implementation and improvement of the organization's existing risk management system.




Published

2020-12-24

How to Cite

Litvinchuk, I., Korchomnyi, R., Korshun, N., & Vorokhob, M. (2020). APPROACH TO INFORMATION SECURITY RISK ASSESSMENT FOR A CLASS «1» AUTOMATED SYSTEM. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 2(10), 98–112. https://doi.org/10.28925/2663-4023.2020.10.98112